
OS X Server, Internal DNS and Apple Airport Extreme

OK,


There must be a way to do this. I cannot believe that this simplest of functions to a Wireless Router would have been missed off the new range of Airport devices.


I have an OS X Server, serving DNS internally and forwarding lookups to the Airport which forwards on externally.

Trouble is I want the Airport to connect to PPPoE and serve the guest network with DHCP and DNS but let my server do DNS on the internal network.


Why is there not a simple box in setup utility that says "use this DNS server on the local DHCP network" or something along those lines. It seems mad that Apple have overlooked this, I can only say I am missing something.


I have tried setting up a small range and putting in reservations but this limits your guest network to the same limited range so you end up with only room for two or three guests, this solution won't work for me.


It seems stupid to put the ApE into Bridge mode as I can then not have a guest network and I shouldn't have to have two boxes to achieve what I am looking for.


Rant over, any other help or solutions appreciated.


Regards to all


TMA.HA

Posted on Sep 29, 2013 2:48 AM


Dec 31, 2013 1:32 PM in response to TMA.HA

You can do that in the "Internet" tab in Airport Utility when editing the AirPort Extreme.


This will make your OSX Server DNS Service as the primary and your ISP or Google DNS/OpenDNS as the backup.


On the OSX Server DNS Service, set up a forwarder to your ISP or other DNS server. This way the clients will first check with your internal server before going to the internet.


Is that what you're looking for?



Dec 31, 2013 2:23 PM in response to FadiKelzia

FadiKelzia: Via the guest network, the clients won't be able to reach the local 192.168.1.0/24 address, so the guest DHCP clients would more typically then try the Google 8.8.8.8 DNS server, and get a public translation. But out of curiosity, what happens if a local DHCP client asks for a local DNS translation and happens to pick the Google 8.8.8.8 as its DNS server? That'd return a failure. Some clients don't retry after failures. Querying 8.8.8.8 might possibly also return a public IP address, depending on the local DNS configuration, too; if there are both private and public authoritative servers.


Forwarders on a DNS server mean all your queries go via the specified DNS server, which is useful for nanny filters and such, but it's just as easy for the DNS server to go direct to the root servers and get the translations itself. The only general "win" with a forwarder is if the forwarder has the DNS translation cached and your local DNS server doesn't, and once your DNS server has the translation cached, it won't bother asking the forwarder again.

Dec 31, 2013 2:25 PM in response to FadiKelzia

Primary and secondary DNS are expected to contain the same naming space.


An external DNS will probably not know any internal names you define in your own server.


If you want clients to routinely try your local DNS and fail over to an external DNS the above may "sort of" work.


Clients will be slow when failing over.


Personally I either avoid running DNS locally OR I use local DNS exclusively.


The latter requires two servers for redundancy.

Dec 31, 2013 4:16 PM in response to piperspace

piperspace wrote:


...Personally I either avoid running DNS locally OR I use local DNS exclusively.


The latter requires two servers for redundancy.


If you're running OS X Server, you need local DNS services, as was the start of this thread (combined with an Airport-based guest network, which gets tangled with local DNS services). Either running on OS X Server, configured a firewall with an integrated DNS server (that's with a DNS server and not with the more typical DNS resolver; firewall-based DNS servers are available, but they're not entry-level gear), or via one or more Linux boxes or Windows Server boxes, etc.

Dec 31, 2013 4:34 PM in response to MrHoffman

@MrHoffman

Agreed, the Guest network will not have access to the local range. I missed that part.


In my setup, the second DNS is a Google server because I don't want the internet to stop working if the local server is not operational, this way at least Internet will be available.

- Client contacts Primary DNS, if it fails to reach it, it will go to the secondary. Well, to be more accurate, the OS will choose the fastest DNS server it can reach first. Ideally that would be the local server.


In a normal day when everything is up and running:

- Client contacts the Primary DNS (OSX Server DNS), if the query is a local DNS record, it will serve the IP.

- If the query is not a local record, it will send it to the forwarder DNS server defined in the DNS service (ISP DNS or Google DNS)



For the guest network, it would be worth checking to do the following:


- Add a second Wifi network interface on the server and connect it to the guest network IP address.

- On the AirPort Extreme, put the Guest network IP address of the OSX Server in the secondary DNS field.


In this case the guest clients will always try to reach the local network DNS first and then failover to the guest network IP of the DNS server.


@piperspace

Well, a home router is already working as a local DNS server that tries to resolve locally then forwards to an external DNS server when it cannot resolve the name.

Primary and secondary in an enterprise space will surely be a main and a backup and both contain the same name spaces. But the point here was about home use and therefore the purpose will be a backup DNS server for the internet at least.
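
The mixed primary/secondary setup debated in this thread (local OS X Server DNS with a forwarder, plus 8.8.8.8 as a second DNS entry) can be modelled in a few lines. This is an added example, not part of any post above; the host names, the server address 192.168.1.10 and the 203.0.113.5 answer are constructed, and the stub resolver is assumed to move to the next server only when the current one does not answer.

```python
from dataclasses import dataclass

# Constructed sample data. Only 8.8.8.8 and the 192.168.1.0/24 range appear in the thread.
INTERNAL = {"files.home.example": "192.168.1.20"}
PUBLIC = {"www.example.com": "203.0.113.5"}

@dataclass
class Server:
    address: str
    zone: dict
    networks: tuple                      # client networks that can reach this server
    forwarder: "Server | None" = None
    up: bool = True

    def query(self, name, net):
        if not self.up or net not in self.networks:
            return "TIMEOUT", None
        if name in self.zone:
            return "NOERROR", self.zone[name]
        if self.forwarder:               # not a local record: ask the forwarder
            return self.forwarder.query(name, "wan")
        return "NXDOMAIN", None

def resolve(name, servers, net):
    """Stub-resolver model (assumption): the next server is tried only when
    the current one does not answer; NXDOMAIN is treated as a final answer."""
    for s in servers:
        rcode, ip = s.query(name, net)
        if rcode != "TIMEOUT":
            return rcode, ip, s.address
    return "TIMEOUT", None, None

def scenarios():
    public = Server("8.8.8.8", PUBLIC, ("lan", "guest", "wan"))
    local = Server("192.168.1.10", INTERNAL, ("lan",), forwarder=public)
    out = {}
    out["lan_internal"] = resolve("files.home.example", [local, public], "lan")
    out["lan_external"] = resolve("www.example.com", [local, public], "lan")
    # Client happens to ask the public server first, local server still up.
    out["lan_public_first"] = resolve("files.home.example", [public, local], "lan")
    # Guest network cannot reach the LAN-side DNS server.
    out["guest_internal"] = resolve("files.home.example", [local, public], "guest")
    local.up = False
    out["server_down_external"] = resolve("www.example.com", [local, public], "lan")
    out["server_down_internal"] = resolve("files.home.example", [local, public], "lan")
    return out

if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:22} {result}")
```

In every case where the answer comes from 8.8.8.8, the internal host name has also been sent to the public resolver, which is worth knowing if internal names are considered sensitive.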
